Senior Identity & Access Management (IAM) Engineer
Quick Overview
Job Description
Senior Identity & Access Management (IAM) Engineer
Role Overview
City of Hope is seeking an elite, highly technical Senior IAM Engineer to architect, secure, and operate our enterprise identity infrastructure [1, 2]. This role is a critical position focused on modernizing our hybrid identity footprint, enforcing zero-trust architecture, and securing privileged access. The ideal candidate possesses deep, hands-on engineering mastery across the Microsoft Entra ID suite, SailPoint Identity Governance, Active Directory, and BeyondTrust PAM [3, 4]. You will be responsible for eliminating identity risk, automating the Joiner-Mover-Leaver (JML) lifecycle, and providing high-confidence identity security across our healthcare and research networks [2].
Core Technical Stack
- Identity Platforms: Microsoft Entra ID (Azure AD), Active Directory (AD) [3].
- Identity Governance (IGA): SailPoint [3, 4].
- Privileged Access Management (PAM): BeyondTrust [4].
- Protocols & Standards: SAML, OIDC, OAuth 2.0, Kerberos, LDAP, KQL.
Key Responsibilities
☁️ Microsoft Entra ID & Hybrid Identity Operations
- Tenant & Core Identity: Maintain Entra ID tenant architecture, service accounts, directory roles, and emergency break-glass account governance.
- Hybrid Identity & Synchronization: Manage Entra Connect and Cloud Sync topologies, resolve complex attribute authority matching issues, and monitor global synchronization health.
- Groups & RBAC: Define enterprise security group standards, engineer dynamic assignment rules, and build scalable Role-Based Access Control (RBAC) and least-privilege authorization models.
🛡️ Authentication, Access Control & Application Identity
- MFA & Passwordless: Design and enforce MFA policies, authentication methods, passwordless configurations (FIDO2, Temporary Access Pass/TAP), and manage exception architectures.
- Conditional Access (CA): Architect and troubleshoot advanced, risk-based Conditional Access strategies tracking application, network, and device postures.
- SSO & Application Integration: Own the full lifecycle of application registrations, enterprise apps, OAuth consent workflows, SAML/OIDC configurations, and token claims mapping.
🔐 Privileged & Governance Controls (SailPoint & BeyondTrust)
- Identity Governance (IGA): Partner to optimize automated SailPoint Joiner-Mover-Leaver (JML) lifecycle workflows, access packages, entitlement management, separation of duties (SoD), and user access reviews.
- Privileged Access Management (PAM): Architect and configure BeyondTrust and Entra Privileged Identity Management (PIM) to enforce Just-In-Time (JIT) access, admin role approvals, and privileged session auditing.
- External Identity (B2B): Enforce guest user lifecycle configurations, cross-tenant synchronization, external vendor access reviews, and naming standards.
🚨 Identity Security, Compliance & Incident Response
- Security Monitoring: Leverage Entra Identity Protection and Microsoft Sentinel integrations to proactively triage identity alerts and anomalies.
- Compliance & Auditing: Respond to identity-centric incident escalations, gather evidence for regulatory audits, and author Standard Operating Procedures (SOPs).
Required Qualifications
- Experience: 7+ years of dedicated Identity and Access Management (IAM) engineering experience within an enterprise environment.
- Platform Mastery: Proven hands-on engineering experience configuring and maintaining Microsoft Entra ID (Azure AD) and on-premises Active Directory [3].
- Governance Tools: Deep technical experience interacting with SailPoint for identity lifecycle automation and access governance [3, 4].
- Privileged Infrastructure: Hands-on experience operating BeyondTrust or Entra PIM for privileged credential vaulting and session management [4].
- Automation: Strong scripting capabilities (PowerShell, Microsoft Graph API) to automate administrative identity tasks.
- Education: Bachelor’s degree in Computer Science, Information Security, or equivalent professional experience.
Preferred Certifications
- Microsoft Certified: Identity and Access Administrator Associate (SC-300)
- Microsoft Certified: Azure Administrator Associate (AZ-104)
- Certified Information Systems Security Professional (CISSP)
- SailPoint Certified IdentityNow/IdentityIQ Engineer or BeyondTrust Certified Engineer [4]
Similar jobs
Staff Robotics Engineer, Maritime
Anduril Industries · Quincy, United States
31 minutes ago$254k - $336k/yrSenior Robotics Engineer, Maritime
ANDURIL INDUSTRIES · Quincy, United States
32 minutes ago$220k - $292k/yrApplications Engineer
Arrow Electronics, Inc. · Lake Mary, United States
34 minutes ago$87.9k - $115.1k/yrApplications Engineer
Arrow Electronics, Inc. · Santa Clara, United States
34 minutes ago$87.9k - $115.1k/yrApplications Engineer
Arrow Electronics, Inc. · Johns Creek, United States
34 minutes ago$87.9k - $115.1k/yrApplications Engineer
Arrow Electronics, Inc. · Marlborough, United States
34 minutes ago$87.9k - $115.1k/yr